계: Environment

이 섹션에는 소스 코드 외부에 있지만 제작 중인 제품의 보안에는 여전히 중요한 내용이 모두 포함되어 있습니다. 이 섹션에서 다루는 문제들은 소스 코드와 직접적으로 관련이 없기 때문에 나머지 섹션과 분리했습니다.

WCF Misconfiguration: Throttling Not Enabled

C#/VB.NET/ASP.NET

Abstract

시스템 리소스 사용에 제한을 두지 않으면 리소스가 고갈되어 궁극적으로 Denial of Service가 발생할 수 있습니다.

Explanation

WCF(Windows Communication Foundation)는 서비스 요청을 제한하는 기능을 제공합니다. 너무 많은 클라이언트 요청을 허용하면 시스템에 과부하가 걸리고 리소스가 고갈될 수 있습니다. 반면에 서비스에 대한 요청을 소수만 허용하면 합법적인 사용자가 서비스를 사용하지 못하게 될 수 있습니다. 적절한 양의 리소스를 허용하도록 각 서비스를 개별적으로 조정하고 구성해야 합니다.

References

[1] Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 400, CWE ID 770

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [20] CWE ID 400

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [23] CWE ID 400

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [23] CWE ID 400

[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.1.4 General Data Protection (L2 L3), 11.1.3 Business Logic Security Requirements (L1 L2 L3), 11.1.4 Business Logic Security Requirements (L1 L2 L3), 12.1.1 File Upload Requirements (L1 L2 L3), 12.1.3 File Upload Requirements (L2 L3), 13.2.4 RESTful Web Service Verification Requirements (L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[19] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 770

[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II, APP3760 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II, APP3760 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II, APP3760 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II, APP3760 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II, APP3760 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II, APP3760 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[43] Standards Mapping - Web Application Security Consortium Version 2.00 Brute Force (WASC-11), Insufficient Anti-automation (WASC-21)

[44] Standards Mapping - Web Application Security Consortium 24 + 2 Brute Force, Insufficient Anti-automation

desc.config.dotnet.wcf_misconfiguration_throttling_not_enabled